Can I determine if the SolarWinds TFTP server dated April 2019 is compromised?
SolarWinds has been in the news due to the hack of their servers. It is unclear how far back the compromise goes. The only product I have used from them is their free TFTP server. Has the "fingerprint" of the compromise been documented to allow determination if a specific download is affected? Are the compromised files now detectable with commercial virus/malware scanners?
Solution 1:
The SolarWinds cyberattack was a supply chain attack. The nation-state threat actor(s) gained access to the SolarWinds Orion build system and added a backdoor to a legitimate Orion DLL, namely SolarWinds.Orion.Core.BusinessLayer.dll
. This DLL was then distributed to SolarWinds customers via their automatic update platform used to push out new software updates. This DLL is loaded by SolarWinds.BusinessLayerHost.exe
. The free SolarWinds TFTP Server does not use this update mechanism.
To date, the free TFTP server is not listed by SolarWinds as compromised. See https://www.solarwinds.com/securityadvisory for detailed information.
IOCs can be found at https://github.com/sophos-cybersecurity/solarwinds-threathunt and elsewhere.